There is a requirement to send Audit and Security logs to a SIEM.
VMware Aria Operations for Logs 8.18.x
Customizing SIEM filtering logic and selecting specific events of this type fall outside the standard scope of Global Services support.
The following is a basic list of vCenter audit-related events.
1. Authentication and Session Events
UserLoginSessionEvent: Successful login.
BadUsernameSessionEvent: Failed login (bad username/password).
UserLogoutSessionEvent: Explicit logout.
AlreadyAuthenticatedSessionEvent: Re-authentication of an existing session.
2. Authorization and Permission Modifications
PermissionAddedEvent: A new permission was granted to a user or group.
PermissionUpdatedEvent: Existing permission modified.
PermissionRemovedEvent: Permission revoked.
RoleAddedEvent: A new custom role was created.
RoleUpdatedEvent: Privileges modified on a role.
RoleRemovedEvent: Role deleted.
3. Host State and Configuration
HostConnectedEvent: Host added or reconnected to vCenter.
HostDisconnectedEvent: Host lost connection to vCenter.
EnteredMaintenanceModeEvent: Host placed into maintenance mode.
ExitMaintenanceModeEvent: Host removed from maintenance mode.
4. Virtual Machine Lifecycle and Security
VmCreatedEvent: VM deployed from scratch.
VmRemovedEvent: VM deleted from disk.
VmReconfiguredEvent: VM hardware or settings changed (e.g., adding a NIC, altering a port group, modifying CPU/RAM).
VmPoweredOnEvent: VM started.
VmClonedEvent: VM duplicated.
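To check a forwarding filter against the list above before pointing it at the SIEM, the following added example (not VMware or Global Services code) selects only lines whose event type is on the list and tags each with its group. It assumes the event type appears in each log line as `vim.event.<TypeName>`; the function name and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Event type names and groupings exactly as listed in this article.
AUDIT_EVENTS = {
    "authentication": ["UserLoginSessionEvent", "BadUsernameSessionEvent",
                       "UserLogoutSessionEvent", "AlreadyAuthenticatedSessionEvent"],
    "authorization": ["PermissionAddedEvent", "PermissionUpdatedEvent", "PermissionRemovedEvent",
                      "RoleAddedEvent", "RoleUpdatedEvent", "RoleRemovedEvent"],
    "host": ["HostConnectedEvent", "HostDisconnectedEvent",
             "EnteredMaintenanceModeEvent", "ExitMaintenanceModeEvent"],
    "vm": ["VmCreatedEvent", "VmRemovedEvent", "VmReconfiguredEvent",
           "VmPoweredOnEvent", "VmClonedEvent"],
}
CATEGORY = {name: cat for cat, names in AUDIT_EVENTS.items() for name in names}

# Assumption: the event type appears in the line as "vim.event.<TypeName>".
# Capturing the whole identifier makes the match exact, so DrsVmPoweredOnEvent
# is not mistaken for VmPoweredOnEvent the way a substring search would.
EVENT_TYPE = re.compile(r"\bvim\.event\.([A-Za-z0-9]+)")

def select_for_siem(lines):
    """Return (forwarded, stats); forwarded holds (category, type, line) tuples."""
    forwarded, stats = [], Counter()
    for line in lines:
        m = EVENT_TYPE.search(line)
        if not m:
            stats["no_event_type"] += 1   # not an event record, drop
            continue
        category = CATEGORY.get(m.group(1))
        if category is None:
            stats["not_in_list"] += 1     # an event, but not on the audit list
            continue
        stats[category] += 1
        forwarded.append((category, m.group(1), line))
    return forwarded, stats

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    "2025-01-10T08:00:01Z vc01 vpxd: [vim.event.UserLoginSessionEvent] alice@example.local logged in",
    "2025-01-10T08:00:09Z vc01 vpxd: [vim.event.BadUsernameSessionEvent] login failed from 192.0.2.10",
    "2025-01-10T08:01:30Z vc01 vpxd: [vim.event.PermissionAddedEvent] permission created for ops-group",
    "2025-01-10T08:02:00Z vc01 vpxd: [vim.event.DrsVmPoweredOnEvent] DRS powered on app01",
    "2025-01-10T08:03:12Z vc01 vpxd: [vim.event.VmReconfiguredEvent] app01 reconfigured",
    "2025-01-10T08:03:15Z vc01 vpxd: heartbeat ok",
]

if __name__ == "__main__":
    selected, counts = select_for_siem(SAMPLE)
    print([(cat, name) for cat, name, _ in selected], dict(counts))
```

The `not_in_list` and `no_event_type` counters show how much traffic the list excludes, which helps when deciding whether further event types need to be added.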
Please ensure basic network connectivity between the Operations for Logs instance and the SIEM. The following 'curl' command will confirm this:
curl -v telnet://<SIEM_FQDN>:<PORT>